Tag Archives: ffiec

The latest report shows significant changes in the scale and type of attacks being executed, as recorded by one of the largest internet infrastructure companies, which also draws on additional data sources. Akamai published its quarterly report today (January 23, 2013) and I am nearly through it. A few striking details shift how I will recommend clients identify, consider, and mitigate risks. The top two items that are significant (one obvious) and important include:

China held its spot as the #1 source of observed attack traffic at 33%, with the United States at #2 at 13% (Not a huge surprise but an affirmation for many)

The amount of attack traffic seen during the activist (Operation Ababil) DDoS attacks was ~60x larger than the greatest amount of traffic Akamai had seen before for similar activist-related attacks (The volume, intensity, and strategy of the attacks are important, as most do not consider a SIXTY TIMES factor in risk mitigation calculations)

About the Akamai State of the Internet report
Each quarter, Akamai publishes a “State of the Internet” report. This report includes data gathered from across the Akamai Intelligent Platform about attack traffic, broadband adoption, mobile connectivity and other relevant topics concerning the Internet and its usage, as well as trends seen in this data over time. Please visit www.akamai.com/stateoftheinternet

Senior leadership (board of directors, audit committee members, CIO, COO) must ensure these realities are absorbed into the organization’s business processes. The leadership and strategy shifts required to tackle these evolutions remain an executive responsibility.

“The 31-page proposal addresses how social media impacts compliance and legal risk, operational risk, reputational risk, and an increased risk of harm to consumers. While the agencies note that no additional regulations apply to social media, the relatively casual communication channels are not exempt from the rules, either.

According to the proposal, social media risk management programs should include a governance structure that includes how social media contributes to strategic goals, policies and procedures, third party due diligence, employee training, oversight, audit and compliance functions, and a reporting process.” – reference

Considering the velocity of the risks in this area and the lag in legislation, it is fair to say that even those OUTSIDE the purview of the FFIEC should strongly consider these as inputs to their compliance and security programs.

“The FFIEC invites comments on any aspect of the proposed guidance. It is specifically seeking comments on the following questions:

Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?

Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?

Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?”

Yesterday I presented with Prat Moghe, the founder of Tizor, on the challenges faced by businesses. A broad topic, but we were primarily focused on the database administrators and those charged with the controls in place. While we went into great detail on the difficulties of manually evaluating controls in a checkbox manner, and I highlighted specific concerns on Twitter (#nzdc), a more basic harm and cause emerged – most organizations have been approaching audits and controls in the wrong manner.

First off – consider: what is the point of the audit? The answer will usually be one of two prime responses:

The first: the Federal government and our industry cohorts don’t trust how we do business, so we have to demonstrate particular safeguards and baseline operating integrity to keep our operating license.

The second may be that management is overseeing a massively complex organism, and only through third-party verification and evaluation will we know what in the world is right, wrong, or a complete waste.

Now both responses are right, and there is nothing wrong with leaning more toward either of these points, but there is a severe cost. Treating an audit as a checkbox exercise means that the INTENT is not being satisfied (the classic “compliance does not equal security” is a prime example), and one should not be passing such audits – but that is not the focus of this post. Furthermore, conducting an audit in a manner where one simply responds and loosely ties the controls together for the sake of “the audit” every year translates to a complete loss of the possible savings that can be achieved from such events.

There is no doubt that audits are time-consuming and resource-intensive, similar to a high-stakes test. The difference is that when you take a high-stakes test and then take it again, you reuse the same information and have learned from the prior experience. Too often organizations do not carry those lessons forward, because audits are treated as one-time events and are not integrated.

To be sure – auditors vary in skill, standards stretch the spectrum from prescriptive to principle-based, and management and company culture severely impact how these evaluations are viewed and addressed. It is also true that without carrying these lessons beyond the hour in which the audit occurs, errors, expense, time, and resources will be lost, forever and continually.

Best Practice Advice:

Consider your audit plan for the year and how the audits can fit with your IT strategy and IT governance function as part of the company governance program. Draft a charter that reflects how these audits work toward the company’s goals, and how each audit enforces and ENRICHES the business operations.